🏆 humbled. Mussy here — honored to be named Influencer of the Conference alongside Dave @forensicdave 🙏
But let’s be real: this belongs to you all from #OBTS.
No researchers → no talks → no demos → no clips → no post → no prize. Full stop.
Massive love to Andy @andyrozen (backbone of the show) and Patrick @patrickwardle for building the space, and to every speaker, volunteer, and hallway brain who made #OBTS 🍏 what it is.
I’m just the loudspeaker — you wrote the music.
Drop your favorite session below, tag a speaker, and let’s push their work even further. Ibiza energy stays on. 💥🌴📣
#OBTS 🍏
The #OBTS community is simply incredible!! 😍
From trainers & speakers to students & attendees, you made this the best #OBTS yet 🙏🏽
Photos, recordings & slides coming soon!
Funbye, Ibiza. ✈️🌊
Nearly half a decade of #OBTS 🍏—not just events, but chapters.
Grateful to Andy & Patrick, the organizers, every talker, and all attendees who kept the bar high and the door open.
We leave the island; the momentum comes with us.
See you at the next chapter… Hawaii🌴🌺
exit(); event — but with a smile.
Sea breeze, full notebooks, zero dull moments.
Huge thanks to the organizers — Andy @andyrozen & Patrick @patrickwardle — for a flawless sail, the talkers for turning research into moments, and the attendees for the questions, laughs, and late-night hallway magic.
Objective by the Sea felt less like an ending and more like a handoff.
Until we boot again to Hawaii #OBTS v9.0🍏. 🌊✨
🔐 Security bulletin — After “Dylib Hijacking: Dead or Alive?”
Verdict: alive (with fewer hiding spots).
Patrick Wardle @patrickwardle walked us from the OG research to macOS 26, then proved on stage that sloppy search paths, loose rpath habits, and mis-bundled PlugIns still open the door.
Do now: audit rpath/loader_path/executable_path, lock bundles with Hardened Runtime + Library Validation, and alert on unexpected Frameworks/PlugIns loading inside app bundles.
Classic technique, modern teeth. Only at #OBTS 🍏 do you get the history, the live receipts, and the fix—back-to-back.
Patrick Wardle @patrickwardle just dropped a live dylib hijack: “normal” app + planted lib → instant code exec & persistence.
Dead or alive? Still kicking. ⚡️ #OBTS 🍏
🪧 WANTED: dylib hijacking — Dead or Alive?
Last talk of the conf and the one-and-only Patrick Wardle @patrickwardle is back on stage to settle it. First spotted by a younger Patrick years ago, macOS got tough with mitigations… but is the hijack a corpse or a comeback kid on macOS 26? 🧟♂️📚
Expect history → malware war stories → Apple’s counterpunches → live demos, detection tips, and a few jump scares.
Finale energy: maximum.#OBTS 🍏
⚠️ Recall notice: “GTA 6 early-access” downloads on macOS—contaminated with Cthulhu Stealer. 🎮🐙
Lure hit gamers/crypto, then imploded when the crew’s OPSEC failed and the admin pulled an exit scam.
Tara Gould traced it end-to-end with OSINT + RE—how hype became theft, then evidence.
Only at #OBTS 🍏 do we learn how to turn leak-bait into a takedown playbook.
🎙️ True-Crime: Cyber Edition — OopsSec: The Short-Lived Campaign of Cthulhu Stealer
macOS creds heist targeting gamers & crypto (2023–early ’24) 🕹️💸
Plot twist: the crew’s own admin (“balaclavv”) pulled an exit scam, and sloppy OPSEC (hardcoded creds, misconfigured servers) left a breadcrumb trail.
How it unraveled: OSINT + reverse engineering turned greed into doxxed infrastructure and a dead campaign.
Moral: attackers make mistakes; defenders weaponize them.
Tara Gould — only at #OBTS 🍏 do eldritch thieves get caught by their own tentacles. 🐙
🛰️ After-Hunt Debrief — “Placeboed Apples” (iOS spyware detection)
Hunter: Matthias Frielingsdorf @Helthydriver | #OBTS 🍏
Objective: turn chaotic iOS forensic dumps into a huntable map for Pegasus-class spyware.
Tactic: build a harmless malware simulator that reenacts real behaviors (e.g., contact dips, sensor pokes, timed exfil) and watch which forensic stores light up.
Signals: repeatable hotspots across specific DBs/paths → promoted to high-value artifacts; clean IOCs you can actually pull.
Outcome: hours of blind triage shrink to a priority artifact map and a Monday-ready workflow.
Playbook: emulate the threat → capture the footprints → hunt the lit paths first → validate and loop.
He didn’t chase the flying horse—he built a decoy and followed the hoofprints. 🐎
Only at #OBTS 🍏 do you leave with a simulator, a checklist, and a faster way to catch the real thing.
🔴 LIVE at #OBTS 🍏 — Placeboed Apples
@Helthydriver spins a harmless iOS malware simulator (Pegasus-style)… and the phone lights up its own forensic hotspots.
Chaos → checklist. Hunt smarter.
🗂️ HUNT ORDER — iOS spyware detection (“Placeboed Apples”)
Situation: iOS has no ESF hooks; you’re staring at massive forensic dumps.
Mission: find spyware fast.
Execution: build a malware simulator that imitates real families (incl. NoClip) → run it → watch which DBs/paths light up → promote those to a high-value artifact list for triage.
Result: thousands of haystacks become a hit list of indicators you can actually hunt.
Only at #OBTS 🍏 do we fight spyware by pretending to be it—and win.
Hunter: Matthias Frielingsdorf @Helthydriver
After FSKit: Sharvil Shah @sharvil spun a userspace filesystem that’s both stage and spotlight—bait folders go out, snitch paths call out snoops in real time—then flipped it to ask if malware could hide on the same set. Net: it can (if you’re not watching), but today’s playbook makes it your house again: tag mounts, watch odd opens/writes, let the decoys sing. #OBTS 🍏
Throwback to Spain — 4 years ago at #OBTS 🍏 I met Sharvil Shah @sharvil ; today he’s back like clockwork, leveling us up again.
Talk: Exploring FSKit: Writing Filesystems for Fun, Profit, and Defense (…and Evasion?)
FSKit = Apple’s userspace filesystem kit: build a pseudo-FS, wire it as a sensor, and turn folders into bait & tripwires for infostealers. 🪤📂
The spicy bit: the same knobs that help defenders catch thieves might also give thieves a new hiding spot — and we’re testing both sides live. 🔍🕵️
Old friend, new APIs, same OBTS magic: make it fun, make it useful, ship receipts.
Drop your best “bait file” name below — let’s crowdsource the honeypot. 🧠🔥
Post-talk snapshot — XUnprotect (XProtect Remediator)
We walked in thinking “just YARA.” Walked out with:
• a Swift DSL (Result Builders) spelling out XPR’s rules,
• sneaky OCR checks catching Gatekeeper-bypass antics on screen,
• Apple-only intel—with TriangleDB fingerprints,
• and new tools to track XPR updates like a threat-intel feed.
Koh Nakagawa @tsunek0h | Only at #OBTS 🍏 do black boxes leave as blueprints you can actually use.
🔐 DECLASSIFIED // XUnprotect — macOS XProtect Remediator decoded (live at #OBTS 🍏) | Koh Nakagawa @tsunek0h
Findings:
• Not “just YARA.” XPR’s detections live in a custom DSL built with Swift Result Builders (SwiftUI vibes, but for rules).
• Stripped Swift binaries? Cracked with custom static/dynamic tooling.
• Wild card: OCR used to spot Gatekeeper-bypass shenanigans right on screen.
• Hidden intel: Apple-exclusive TI, incl. clues touching TriangleDB implants.
Only at #OBTS 🍏 do we turn a black box into a blueprint you can actually run with.
Book Signing Alert — Patrick Wardle @patrickwardle , The Art of Mac Malware: Vol II — Detection
Today at #OBTS 🍏, the only signatures we’re excited about are the ones on your title page (the other kind still catch malware 😉).
Bring/Buy your copy, snag the ink, and swap a quick IoC-for-insight with the author who literally wrote the playbook.
Limited pages, unlimited nerdery. See you at the table.